From 401ef08af34e765a9abe0a6e58f92dd898628a27 Mon Sep 17 00:00:00 2001
From: alemi <me@alemi.dev>
Date: Mon, 13 May 2024 18:53:03 +0200
Subject: [PATCH] fix: shared inbox MUST NOT contain private stuff

---
 src/routes/activitypub/inbox.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/routes/activitypub/inbox.rs b/src/routes/activitypub/inbox.rs
index ac5cabd..1aec234 100644
--- a/src/routes/activitypub/inbox.rs
+++ b/src/routes/activitypub/inbox.rs
@@ -1,5 +1,6 @@
 use apb::{server::Inbox, Activity, ActivityType};
 use axum::{extract::{Query, State}, http::StatusCode, Json};
+use sea_orm::{sea_query::IntoCondition, ColumnTrait};
 
 use crate::{errors::UpubError, server::{auth::{AuthIdentity, Identity}, Context}, url};
 
@@ -19,7 +20,8 @@ pub async fn page(
 ) -> crate::Result<JsonLD<serde_json::Value>> {
 	crate::server::builders::paginate(
 		url!(ctx, "/inbox/page"),
-		auth.filter_condition(),
+		crate::model::addressing::Column::Actor.eq(apb::target::PUBLIC)
+			.into_condition(),
 		ctx.db(),
 		page,
 		auth.my_id(),